
CORS

Cross-Origin Resource Sharing

CORS (Cross-Origin Resource Sharing) is the browser mechanism that controls when JavaScript from one origin can read responses from another. By default, browsers block cross-origin XHR/fetch responses — CORS headers from the server unlock controlled access.

The two main response headers:

  • Access-Control-Allow-Origin: which origin can read the response. The header carries a single value: either one specific origin or * (any origin).
  • Access-Control-Allow-Credentials: whether cookies (and other ambient credentials) are allowed to flow with cross-origin requests. true requires Allow-Origin to name a specific origin; browsers reject a credentialed response whose Allow-Origin is *.

For requests that aren’t “simple” (custom headers, non-GET/POST methods, bodies with a Content-Type such as application/json), the browser sends a preflight OPTIONS request first to check what’s allowed. The server responds with Access-Control-Allow-Methods and Access-Control-Allow-Headers; the actual request only fires if the preflight succeeds.

Common misconceptions: CORS isn’t a server-side security mechanism — it’s a browser-enforced restriction that protects users from one site reading data on their behalf from another site. Servers can still receive and process cross-origin requests; CORS just controls whether the browser hands the response back to the calling JS.


Published May 15, 2026